I have an ASP.NET MVC application into which I have just integrated the RPX third-party federated identity system. The integration is working ok, but I'm having some difficulty wrapping my head around what to do with it at the ASP.NET level.
我有一个ASP.NET MVC应用程序,我刚刚集成了RPX第三方联合身份系统。集成工作正常,但是我在ASP.NET级别处理它有什么困难。
Because the identity is handled externally, I have no need for passwords in my app: I never receive the user's password, just their identity. However, the ASP.NET Membership Provider stuff requires passwords be passed around in order to create a user, sign a user in, etc.
因为身份是在外部处理的,所以我的应用程序中不需要密码:我从未收到用户的密码,只是他们的身份。但是,ASP.NET成员资格提供程序的东西需要传递密码才能创建用户,签署用户等。
I've been considering using new Guid() at creation time, but this would require a call to the database to retrieve the user's password before I could sign the user in via the membership provider. I could use the same password for each user so that it's known in advance, but I'm concerned that this would make my user's data insecure.
我一直在考虑在创建时使用新的Guid(),但这需要在我通过成员资格提供者签署用户之前调用数据库来检索用户的密码。我可以为每个用户使用相同的密码,以便事先知道,但我担心这会使我的用户的数据不安全。
I'd be interested to hear how other sites handle this issue, e.g., *.
我很想知道其他网站如何处理这个问题,例如*。
[Please also see my other question, regarding membership providers for such an app.]
[另请参阅我的其他问题,关于此类应用的会员提供商。]
2 个解决方案
#1
but I'm concerned that this would make my user's data insecure.
但我担心这会使我的用户的数据不安全。
Start by ensuring that noone can authenticate directly against your database using a username and password - I imagine this is already the case as you are using RPX to do the actual authentication, and you are only invoking the ASP.NET membership provider once you have already established the user's identity.
首先确保没有人可以使用用户名和密码直接对您的数据库进行身份验证 - 我想这已经是这种情况,因为您使用RPX进行实际身份验证,并且您只是在调用了ASP.NET成员资格提供程序之后建立了用户的身份。
Then, the password stored on your side becomes immaterial, because it's not a secret - if I can work out what someone's password is on your side, it doesn't suddenly compromise their data because I still can't login using that information. The user's secret is managed by the 3rd party provider, not you.
然后,存储在您身边的密码变得无关紧要,因为这不是秘密 - 如果我能弄清楚某人的密码在您身边,它不会突然危及他们的数据,因为我仍然无法使用该信息登录。用户的秘密由第三方提供商管理,而不是您。
So you might as well store what is most convenient (ie a well-known dummy value) - you might as well turn off password encryption as well on the membership provider, to get back some cycles on the server. No point in encrypting / hashing values that aren't used to verify anyone's identity.
因此,您可以存储最方便的内容(即众所周知的虚拟值) - 您也可以在成员资格提供程序上关闭密码加密,以恢复服务器上的某些周期。加密/散列值没有用于验证任何人的身份。
#2
Why use asp.net membership then? It doesn't really fit into you what you are doing which is 3rd party authentication. Maybe you could have a look at the dotnetopenid project and examples as they have a classic asp.net site example which you could modify for mvc? They have a wiki here Maybe google dotnetopenid mvc?
为什么要使用asp.net会员呢?它并不真正适合您正在进行的第三方认证。也许您可以查看dotnetopenid项目和示例,因为他们有一个经典的asp.net站点示例,您可以修改为mvc?他们在这里有一个wiki也许google dotnetopenid mvc?
#1
but I'm concerned that this would make my user's data insecure.
但我担心这会使我的用户的数据不安全。
Start by ensuring that noone can authenticate directly against your database using a username and password - I imagine this is already the case as you are using RPX to do the actual authentication, and you are only invoking the ASP.NET membership provider once you have already established the user's identity.
首先确保没有人可以使用用户名和密码直接对您的数据库进行身份验证 - 我想这已经是这种情况,因为您使用RPX进行实际身份验证,并且您只是在调用了ASP.NET成员资格提供程序之后建立了用户的身份。
Then, the password stored on your side becomes immaterial, because it's not a secret - if I can work out what someone's password is on your side, it doesn't suddenly compromise their data because I still can't login using that information. The user's secret is managed by the 3rd party provider, not you.
然后,存储在您身边的密码变得无关紧要,因为这不是秘密 - 如果我能弄清楚某人的密码在您身边,它不会突然危及他们的数据,因为我仍然无法使用该信息登录。用户的秘密由第三方提供商管理,而不是您。
So you might as well store what is most convenient (ie a well-known dummy value) - you might as well turn off password encryption as well on the membership provider, to get back some cycles on the server. No point in encrypting / hashing values that aren't used to verify anyone's identity.
因此,您可以存储最方便的内容(即众所周知的虚拟值) - 您也可以在成员资格提供程序上关闭密码加密,以恢复服务器上的某些周期。加密/散列值没有用于验证任何人的身份。
#2
Why use asp.net membership then? It doesn't really fit into you what you are doing which is 3rd party authentication. Maybe you could have a look at the dotnetopenid project and examples as they have a classic asp.net site example which you could modify for mvc? They have a wiki here Maybe google dotnetopenid mvc?
为什么要使用asp.net会员呢?它并不真正适合您正在进行的第三方认证。也许您可以查看dotnetopenid项目和示例,因为他们有一个经典的asp.net站点示例,您可以修改为mvc?他们在这里有一个wiki也许google dotnetopenid mvc?